Security system and method for internet of things infrastructure elements

US 10,389,753 B2
Filed: 01/25/2017
Issued: 08/20/2019
Est. Priority Date: 01/23/2017
Status: Active Grant

First Claim

Patent Images

1. A security method for an enterprise infrastructure:

determining a particular unspoofable tag assigned to a particular internet of things (IoT) device in a category of IoT devices that is part of an enterprise infrastructure, wherein each unspoofable tag is assigned to a plurality of IoT devices in the category and each unspoofable tag is certified by a public key certificate that cannot be faked;

retrieving a particular security policy rule assigned to the particular unspoofable tag from a policy rule engine, the policy rule engine having a plurality of security policy rules wherein each security policy rule is assigned to each category of IoT devices, the particular security policy rule defining a security access policy for the particular category of IoT devices;

verifying a certificate of particular category of IoT devices, extracting, an identifier and a tag from the certificate of the particular category of IoT devices and determining whether to permit a communication between the particular category of IoT devices and other category of IoT devices based on the tags of the particular category of IoT devices and the other category of IoT devices; and

implementing a security policy for the particular category of IoT devices in the enterprise infrastructure using the particular security policy rule, the security policy controlling the communications between the particular category of IoT devices and other category of IoT devices of the enterprise infrastructure.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security system and method are provided that manage the security of a plurality of internet of things (IoT) devices that are part of an enterprise infrastructure. The security system and method may use unspoofable tags wherein each unspoofable tag may be assigned to a category of IoT devices and each unspoofable tag may have a security policy rule assigned to the unspoofable tag (and thus the category of IoT devices) so that IoT devices that are part of the enterprise infrastructure are secured by the security policy rule.

64 Citations

View as Search Results

32 Claims

1. A security method for an enterprise infrastructure:
- determining a particular unspoofable tag assigned to a particular internet of things (IoT) device in a category of IoT devices that is part of an enterprise infrastructure, wherein each unspoofable tag is assigned to a plurality of IoT devices in the category and each unspoofable tag is certified by a public key certificate that cannot be faked;
  
  retrieving a particular security policy rule assigned to the particular unspoofable tag from a policy rule engine, the policy rule engine having a plurality of security policy rules wherein each security policy rule is assigned to each category of IoT devices, the particular security policy rule defining a security access policy for the particular category of IoT devices;
  
  verifying a certificate of particular category of IoT devices, extracting, an identifier and a tag from the certificate of the particular category of IoT devices and determining whether to permit a communication between the particular category of IoT devices and other category of IoT devices based on the tags of the particular category of IoT devices and the other category of IoT devices; and
  
  implementing a security policy for the particular category of IoT devices in the enterprise infrastructure using the particular security policy rule, the security policy controlling the communications between the particular category of IoT devices and other category of IoT devices of the enterprise infrastructure.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 further comprising assigning an existing unspoofable tag when the particular IoT device is part of a category of IoT devices to which the existing unspoofable tag is already assigned.
  - 3. The method of claim 1 further comprising generating a new unspoofable tag for the particular IoT device when the particular IoT device does not belong to an existing category of IoT device to which an unspoofable tag is already assigned.
  - 4. The method of claim 3, wherein generating the new unspoofable tag further comprises generating the new unspoofable tag based on an authentication key of the particular IoT device.
  - 5. The method of claim 4, wherein the authentication key is one of a media access control (MAC) address of the particular IoT device and an universally unique identifier of the particular IoT device.
  - 6. The method of claim 4, wherein generating the new unspoofable tag further comprises generating a public key certificate for the new unspoofable tag.
  - 7. The method of claim 3 further comprising providing a security policy rule assigned to the new unspoofable tag.
  - 8. The method of claim 1, wherein implementing the security policy further comprises deploying a policy enforcement point adjacent the particular IoT device to implement the security policy for the particular IoT device.
  - 9. The method of claim 8, wherein implementing the security policy further comprises deploying a transport layer end point adjacent the particular IoT device.
  - 10. The method of claim 1, wherein each security policy rule is an access rule.
  - 11. The method of claim 10, wherein the access rule is a whitelist.
  - 12. The method of claim 1, wherein determining whether to permit the communication further comprises retrieving a tag for the other category of IoT devices, and comparing a require parameter in the tag of the other category of IoT devices to the tag of the particular category of IoT devices.
  - 13. The method of claim 12, wherein comparing the required parameter in the tag of the other category of IoT devices to the tag of the particular category of IoT devices further comprises permitting the communication between the particular category of IoT devices and the other category of IoT devices if the tag of the particular category of IoT devices matches a tag in the require parameter of the other category of IoT devices.

14. An apparatus, comprising:
- a transport layer service (TLS) element that is coupled to an infrastructure, the infrastructure having a plurality of internet of things (IoT) device that form part of the infrastructure;
  
  the TLS element having a controller that enforces a security policy rule for each IoT device that is part of the infrastructure;
  
  the TLS element having a tag engine that determines a particular unspoofable tag assigned to a particular IoT device in a category of IoT devices, wherein each unspoofable tag is assigned to a plurality of IoT devices in the category and each unspoofable tag is certified by a public key certificate that cannot be faked;
  
  the TLS element having a security policy rule engine from which a particular security policy rule assigned to the particular unspoofable tag is retrieved, the policy rule engine having a plurality of security policy rules wherein each security policy rule is assigned to each category of IoT devices, the particular security policy rule defining a security access policy for the particular category of IoT devices;
  
  the TLS element having a policy enforcement point connected to the controller that is capable of verifying a certificate of the particular category of IoT devices, extracting an identifier and a tag from the certificate of the particular category of IoT devices and determining whether to permit a communication between the particular category of IoT devices and the other category of IoT devices based on the tags of the particular category of IoT devices and the other category of IoT devices; and
  
  the TLS element configured to implement a security policy for the particular category of IoT devices across the infrastructure using the particular security policy rule, the security policy controlling the communications between the particular category of IoT devices and other category of IoT devices of the enterprise infrastructure.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The apparatus of claim 14, wherein the tag engine is configured to assign an existing unspoofable tag when the particular IoT device is part of a category of IoT devices to which the existing unspoofable tag is already assigned.
  - 16. The apparatus of claim 14, wherein the tag engine is configured to generate a new unspoofable tag for the particular IoT device when the particular IoT device does not belong to an existing category of IoT device to which an unspoofable tag is already assigned.
  - 17. The apparatus of claim 16, wherein the tag engine generates the new unspoofable tag based on an authentication key of the particular IoT device.
  - 18. The apparatus of claim 17, wherein the authentication key is one of a media access control (MAC) address of the particular IoT device and an universally unique identifier of the particular IoT device.
  - 19. The apparatus of claim 17, wherein the tag engine generates a public key certificate for the new unspoofable tag.
  - 20. The apparatus of claim 16, wherein the security policy engine is configured to provide a security policy rule assigned to the new unspoofable tag.
  - 21. The apparatus of claim 14 further comprising a policy enforcement point coupled to the controller that is configured to be deployed adjacent the particular IoT device to implement the security policy for the particular IoT device.
  - 22. The apparatus of claim 21 further comprising a transport layer end point that is configured to be deployed adjacent the policy enforcement point.
  - 23. The apparatus of claim 14, wherein each security policy rule is an access rule.
  - 24. The apparatus of claim 23, wherein the access rule is a whitelist.
  - 25. The apparatus of claim 14, wherein the policy enforcement point is capable of retrieving a tag for the other category of IoT devices, and comparing a require parameter in the tag of the other category of IoT devices to the tag of the particular category of IoT devices.
  - 26. The apparatus of claim 25, wherein the policy enforcement point is capable of permitting the communication between the particular category of IoT devices and the other category of IoT devices if the tag of the particular category of IoT devices matches a tag in the require parameter of the other category of IoT devices.

27. A method for security for an internet of things (IoT) device in an enterprise infrastructure, the method comprising:
- identifying an IoT device that is part of an enterprise infrastructure;
  
  determining a particular unspoofable tag assigned to the discovered IoT device in a category of IoT devices, wherein each unspoofable tag is assigned to a plurality of IoT devices in the category and each unspoofable tag is certified by a public key certificate that cannot be faked;
  
  identifying a particular security policy rule assigned to the particular unspoofable tag from a policy rule engine, the policy rule engine having a plurality of security policy rules wherein each security policy rule is assigned to each category of IoT devices, the particular security policy rule defining a security policy for the particular category of IoT devices wherein the particular security policy rule implements enterprise infrastructure security for the discovered IoT device; and
  
  verifying a certificate of particular category of IoT devices, extracting, an identifier and a tag from the certificate of the particular category of IoT devices and determining whether to permit a communication between the particular category of IoT devices and other category of IoT devices based on the tags of the particular category of IoT devices and the other category of IoT devices.
- View Dependent Claims (28, 29, 30, 31, 32)
- - 28. The method of claim 27, wherein identifying the particular security policy rule assigned to the particular unspoofable tag further comprises assigning the particular security policy rule from the plurality of security policy rules in the policy engine.
  - 29. The method of claim 27, wherein identifying the particular security policy rule assigned to the particular unspoofable tag further comprises generating a new security policy rule for the discovered IoT device and storing the new security policy rule in the policy engine.
  - 30. The method of claim 27, wherein determining a particular unspoofable tag assigned to the discovered IoT device further comprises assigning an existing unspoofable tag to the discovered IoT device when the IoT device is part of an existing category of IoT devices.
  - 31. The method of claim 27, wherein determining a particular unspoofable tag assigned to the discovered IoT device further comprises generating a new unspoofable tag to the discovered IoT device when the IoT device is not part of an existing category of IoT devices.
  - 32. The method of claim 31, wherein identifying the particular security policy rule assigned to the new unspoofable tag further comprises generating a new security policy rule for the discovered IoT device and storing the new security policy rule in the policy engine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NTT Research, Inc. (Nippon Telegraph and Telephone Corporation)
Original Assignee
NTT Innovation Institute, Inc. (Nippon Telegraph and Telephone Corporation)
Inventors
Kawashima, Masahisa, Choudhry, Moosa, Yamamoto, Go, Boyer, Rich
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
Sarker, Sanchit K

Application Number

US15/415,629
Publication Number

US 20180212768A1
Time in Patent Office

937 Days
Field of Search

713175
US Class Current
CPC Class Codes

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 63/0876   based on the identity of th...

H04L 63/101   Access control lists [ACL]

H04L 63/104   Grouping of entities

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

H04L 9/3268   using certificate validatio...

Security system and method for internet of things infrastructure elements

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

64 Citations

32 Claims

Specification

Use Cases

Quick Links

Others

Security system and method for internet of things infrastructure elements

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

64 Citations

32 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others